Creating roles or trusted contexts with the SECADM authority

If you separate security administration from system and database administration, you need to have the SECADM authority to manage security-related objects in Db2 and control access to all database objects and resources in a subsystem.

Before you begin

To separate security administration from system administration, you must set the SEPARATE_SECURITY system parameter on panel DSNTIPP1 to YES during installation or migration.

If you set field 1 (RESTART or DEFER) to DEFER and set field 2 (objects to restart or defer) to ALL in installation panel DSNTIPS, you cannot use trusted connections.

About this task

With the separation of security administration from system administration, the SYSADM authority can no longer define roles or trusted contexts or manage any other security-related objects; the SECADM authority is, instead, responsible for performing security administrative tasks, including creating roles and trusted contexts, activating row and column access control, and granting security-related authorities and privileges on objects.

Procedure

To create roles or trusted contexts with the SECADM authority:

  • Issue the following CREATE ROLE statement, using an authorization ID or role that holds the SECADM authority, to create the role CTXROLE.

    If SEPARATE_SECURITY is set to YES, the SECADM authority is required to create roles and trusted contexts.

    CREATE ROLE CTXROLE;

    Db2 checks to make sure that you have the required privilege to create roles and, upon successful verification, allows the creation of role CTXROLE.

  • Issue the following CREATE TRUSTED CONTEXT statement to create CTX1 and associate CTXROLE with CTX1:

    CREATE TRUSTED CONTEXT CTX1
    BASED UPON CONNECTION USING SYSTEM AUTHID USER1
    DEFAULT ROLE CTXROLE
    ATTRIBUTES (ADDRESS '9.67.40.219')
    WITH USE FOR USER2, USER3
    ENABLE;

    Db2 checks to make sure that you have the required privilege to create trusted contexts and, upon successful verification, allows the creation of trusted context CTX1.
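    The following is an added example, not from this page: it carries the procedure above one step further by giving the role only the privileges an application needs, tying the trusted context to the application server's connection, and reading the result back from the catalog. All object names, the address (a documentation-range value) and the SYSIBM.SYSCONTEXT column names are assumptions.

```sql
-- Added example; run under an authorization ID that holds SECADM with
-- SEPARATE_SECURITY=YES. APPROLE, CTX_APP, APPSRV1, APPUSER1, APPUSER2,
-- and APPDB.ORDERS are hypothetical names.

-- 1. Create the role first: the trusted context refers to it.
CREATE ROLE APPROLE;

-- 2. Least privilege: grant the role only what the application needs,
--    so a connection that is NOT trusted gains nothing from the role.
GRANT SELECT, INSERT ON APPDB.ORDERS TO ROLE APPROLE;

-- 3. Trusted context: the role applies only to connections from system
--    AUTHID APPSRV1 that arrive from the application server address
--    (192.0.2.10 is a constructed value) over an encrypted connection.
--    APPUSER2 may be switched to only after authenticating.
CREATE TRUSTED CONTEXT CTX_APP
  BASED UPON CONNECTION USING SYSTEM AUTHID APPSRV1
  DEFAULT ROLE APPROLE
  ATTRIBUTES (ADDRESS '192.0.2.10',
              ENCRYPTION 'HIGH')
  WITH USE FOR APPUSER1 WITHOUT AUTHENTICATION,
               APPUSER2 WITH AUTHENTICATION
  ENABLE;

-- 4. Verify the definition in the catalog (column names assumed).
SELECT NAME, SYSTEMAUTHID, DEFAULTROLE, ENABLED
  FROM SYSIBM.SYSCONTEXT
 WHERE NAME = 'CTX_APP';

-- 5. Review which authorization IDs are allowed to use the context.
SELECT AUTHID, ROLE
  FROM SYSIBM.SYSCONTEXTAUTHIDS
 WHERE CONTEXTID = (SELECT CONTEXTID FROM SYSIBM.SYSCONTEXT
                     WHERE NAME = 'CTX_APP');
```

    Because the role is granted through the trusted context rather than to the users directly, revoking the context (or disabling it with ALTER TRUSTED CONTEXT ... DISABLE) withdraws the application's access in one place.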